HOWTO: On-access virus scanning on FC5/FC6

Kevin Kofler kevin.kofler at chello.at
Mon Oct 23 07:05:58 UTC 2006


HOWTO: On-access virus scanning on FC5/FC6
by Kevin Kofler

This HOWTO describes how to enable on-access virus scanning with Clamuko (clamd
and Dazuko, i.e. using only Free Software) on Fedora Core 5 or 6. It should also
work on older Fedora releases. Unlike other methods to install Dazuko on Fedora,
no kernel recompile is needed, only a compilation of a small module against the
running kernel, thanks to patches developed by Sami Tikka and me. This version
of the HOWTO has been updated for the 2.6.18 kernel (FC5-updates, FC6) and
Dazuko 2.3.1.

WARNINGS AND IMPORTANT NOTES:
* Given the current malware landscape, on-access virus scanning is usually NOT
NEEDED on GNU/Linux systems. So unless you're really paranoid, these
instructions are useful only to protect directories shared with more vulnerable
systems.
* On-access scanning is a HUGE PERFORMANCE HOG, especially if you're watching
the entire file system! While it doesn't go as far as making the system
unusable, it does slow things down considerably, and some things like Konqueror
context menus are REALLY SLOW. As usual, there is a tradeoff between performance
and security.
* Right now, the Dazuko patches mentioned below are ONLY FOR 32-BIT X86 systems.
At least the execute hook needs porting for other architectures.
* The procedure below should be run entirely as root.
* Running clamd as root is a security risk! But it is required to support Dazuko
on-access scanning ("For security reasons Dazuko will only operate with
processes that are running as root."), so there's no other option.
* These instructions are provided in the hope that they will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. The entire risk as to the quality and
performance of these instructions is with you. Should the instructions prove
defective, you assume the cost of all necessary servicing, repair or correction.
IN NO EVENT unless required by applicable law will the author be liable to you
for damages, including any general, special, incidental or consequential damages
arising out of the use or inability to use the instructions (including but not
limited to loss of data or data being rendered inaccurate or losses sustained by
you or third parties or a failure of the instructions to operate with any other
programs), even if the author has been advised of the possibility of such
damages. Proceed AT YOUR OWN RISK.

STEPS:
1. Obtain Dazuko 2.3.1 from http://www.dazuko.org/
2. Obtain the FC5/FC6 patch from:
   http://savannah.nongnu.org/patch/?5398
   You need file #11011 (dazuko_linux.c-utrace.diff).
3. Untar Dazuko:
   tar xvzf dazuko-2.3.1.tar.gz
   cd dazuko-2.3.1
4. Apply the patch:
   patch dazuko_linux.c <../dazuko_linux.c-utrace.diff
5. Install kernel-devel: yum install kernel-devel
   (NOTE: kernel-devel must match your running kernel.)
6. Configure Dazuko:
   ./configure --enable-syscalls --mapfile=/boot/System.map-`uname -r` \
   --sct-readonly
7. Compile Dazuko: make
8. Install Dazuko: make install
9. Install clamd: yum install clamav-server
10. Configure clamd: Create an /etc/clamd.conf and put this into it:
LocalSocket clamuko
ClamukoScanOnAccess
ClamukoScanOnOpen
ClamukoScanOnClose
ClamukoScanOnExec
ClamukoIncludePath /
ClamukoExcludePath /dev
ClamukoExcludePath /proc
ClamukoExcludePath /sys
    (WARNING: Don't forget the exclude paths or you may lock up your system.)
11. Start Dazuko: modprobe dazuko
12. Start clamd: clamd
(NOTE: Steps 11-12 need to be repeated after each reboot.)

Don't forget to update your virus databases regularly (using the freshclam tool
in the clamav-update package).

Hoping Dave Jones won't kill or torture me for posting this ;-)
        Kevin Kofler
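
Added example (not part of the original post, and not code from the Dazuko or
ClamAV projects): a POSIX shell pre-flight check for the conditions the HOWTO
warns about, namely the 32-bit x86 restriction, a kernel-devel that matches the
running kernel, the System.map file used in step 6, and the exclude paths from
step 10. The function names, the ROOT prefix parameter and the use of
/lib/modules/<version>/build as the sign of a matching kernel-devel are
assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the HOWTO.

# check_build_env [KVER] [ARCH] [ROOT]
# Defaults describe the running system. ROOT is a hypothetical prefix
# parameter so the check can be pointed at a test tree.
check_build_env() {
    kver=${1:-$(uname -r)}; arch=${2:-$(uname -m)}; root=${3:-}
    rc=0
    case $arch in
        i?86) ;;   # the Dazuko patch is for 32-bit x86 only
        *) echo "arch $arch: patch supports 32-bit x86 only"; rc=1 ;;
    esac
    # Assumption: a kernel-devel matching KVER makes this build tree resolve.
    [ -e "$root/lib/modules/$kver/build/Makefile" ] ||
        { echo "no kernel-devel build tree for $kver"; rc=1; }
    # Step 6 hands this file to --mapfile.
    [ -r "$root/boot/System.map-$kver" ] ||
        { echo "missing $root/boot/System.map-$kver"; rc=1; }
    return $rc
}

# check_clamuko_conf FILE
# Prints one line per problem; returns 0 only if FILE is safe to start with.
check_clamuko_conf() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    grep -Eq '^[[:space:]]*ClamukoScanOnAccess([[:space:]]|$)' "$conf" ||
        { echo "ClamukoScanOnAccess is not set"; rc=1; }
    includes=$(awk '$1 == "ClamukoIncludePath" { print $2 }' "$conf")
    [ -n "$includes" ] || { echo "no ClamukoIncludePath given"; rc=1; }
    for inc in $includes; do
        [ "$inc" = "/" ] || continue
        # Watching / without these excludes is the lockup case from step 10.
        for need in /dev /proc /sys; do
            awk -v p="$need" '$1 == "ClamukoExcludePath" && $2 == p { ok = 1 }
                 END { exit !ok }' "$conf" ||
                { echo "missing: ClamukoExcludePath $need"; rc=1; }
        done
    done
    return $rc
}

# Usage, as root before steps 6 and 11:
#   check_build_env && check_clamuko_conf /etc/clamd.conf
```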



